Spammed Messages Cash In on London 2012 Olympics

Cybercriminals are known opportunists. They take advantage of anything newsworthy and craft their schemes around it, for example sporting events such as the FIFA World Cup and the Olympics. As the London 2012 Olympics opening ceremony draws near, we can expect a surge of spammed messages that leverage the event.

Below are some of the spammed messages we have spotted using the 2012 Olympics as bait: one is an email labelled a “winning notification”, another asks for personal details in exchange for a prize, and a third asks recipients to get in touch with a specific contact person. Users who fall for any of these traps risk having their information stolen or their machines infected with malware. Some of this spam can even lead to monetary loss.

Prize, Free Tickets in Exchange for Your Information

The first Olympics-related spam we have seen is an email that asks for personal information. To get recipients to hand over these details willingly, the message tells them they have won free tickets. To claim the prize, however, they must divulge personal information such as home address, marital status, and even occupation. The message stretches the truth further by telling recipients they have also won a large cash prize.

The scammers behind this spam may use the gathered information in future malicious schemes. They may also sell the data to other cybercriminal groups.

Malware Disguised as Prize Notification

We have also encountered several messages supposedly related to the London 2012 Olympics that arrive with attachments disguised as “winning notifications” containing the details of the prize. Curious users who download and open the attachments are in fact executing malicious files. Below is a sample email:

In a different spam run, we noticed a message whose attached file is actually a Trojan (detected as TROJ_ARTIEF.ZIGS) that exploits the RTF Stack Buffer Overflow Vulnerability (CVE-2010-3333). Once the exploit succeeds, the malware drops the backdoor BKDR_CYSXL.A. Based on our analysis, this backdoor connects to a remote attacker, who can then execute commands on the infected system. More alarming still, a system with a backdoor installed is exposed to further threats, including malware that steals online banking credentials (usernames, passwords, etc.).
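Exploits for CVE-2010-3333 share one structural feature that is easy to check for: an RTF shape property named pFragments whose value is far larger than any legitimate document needs. The script below is an added triage example, not Trend Micro's detection logic or the sample described above. The two RTF blobs in it are constructed for illustration (the "suspicious" one carries only filler hex, not an exploit), and the 256-byte threshold is an assumed cut-off to be tuned for your own environment.

```python
import re

# Heuristic triage for RTF documents carrying an oversized pFragments shape
# property, the structure abused by CVE-2010-3333 exploit documents.
# Assumed threshold: legitimate pFragments values are a few dozen bytes, so
# values in the hundreds of bytes or more deserve a closer look.
MAX_PFRAGMENTS_LEN = 256

# Matches {\sn pFragments}{\sv <value>}, tolerating the optional \* prefix,
# extra whitespace and mixed case seen in obfuscated documents.
PFRAGMENTS_RE = re.compile(
    rb"\{\s*(?:\\\*)?\\sn\s+pFragments\s*\}\s*\{\s*\\sv\s*([^}]*)\}",
    re.IGNORECASE | re.DOTALL,
)

# Constructed sample documents (not real malware samples).
BENIGN_RTF = (
    rb"{\rtf1\ansi{\fonttbl{\f0 Calibri;}}"
    rb"{\shp{\*\shpinst{\sp{\sn pFragments}{\sv 3;8;0001000200030004}}}}"
    rb"\pard Congratulations, you have won!\par}"
)
SUSPICIOUS_RTF = (
    rb"{\rtf1\ansi{\fonttbl{\f0 Calibri;}}"
    rb"{\shp{\*\shpinst{\sp{\sn pFragments}{\sv 1;2;" + b"41" * 2000 +
    rb"}}}}\pard London 2012 winning notification\par}"
)


def scan_rtf(data: bytes, max_value_len: int = MAX_PFRAGMENTS_LEN) -> dict:
    """Return a small triage record for one RTF blob."""
    # Word accepts the abbreviated "{\rt" header, so match on that prefix.
    is_rtf = data.lstrip()[:4].lower().startswith(b"{\\rt")
    result = {"is_rtf": is_rtf, "hits": 0, "max_len": 0, "suspicious": False}
    if not is_rtf:
        return result
    for match in PFRAGMENTS_RE.finditer(data):
        # Whitespace is sometimes sprinkled into the value to defeat naive
        # signatures; strip it before measuring.
        value = re.sub(rb"\s+", b"", match.group(1))
        result["hits"] += 1
        result["max_len"] = max(result["max_len"], len(value))
    result["suspicious"] = result["max_len"] > max_value_len
    return result


if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_RTF), ("suspicious", SUSPICIOUS_RTF)):
        print(name, scan_rtf(blob))
```

A hit here is a reason to detonate the attachment in a sandbox or submit it for analysis, not a verdict on its own; real exploit documents may hide the property behind further RTF encoding tricks that a single regular expression will not unpick, so keep this alongside, not instead of, file reputation and antivirus scanning.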

Spam Asking Users to Contact Specific People

The third type of spam may look legitimate at first glance. To appear authentic, the messages may spoof well-known entities such as Visa and include the contact details of a supposed coordinator or contact person affiliated with the fake promotion.

Recipients are instructed to contact the “coordinator” named in the message. Once they reply to that address, the scammer responds with instructions on how to claim the prize, and the exchange eventually leads to requests for personal information. The scammers may also ask for account details or demand that the recipient deposit money into a specific bank account before the prize is released.
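The tell in this third type of message is that replies are steered away from the brand the sender claims to be: the From header says one organisation, while the Reply-To header or the “coordinator” address in the body points somewhere else, and the text combines a prize claim with a request for personal or banking details. The script below is an added example of that check, not Trend Micro's own filtering. Both messages in it are constructed for illustration (the spoofed sender and coordinator addresses use reserved example domains), and the term lists and scoring weights are assumptions to adjust for your own mail stream.

```python
import email
import re
from email import policy

# Constructed sample messages (not captured spam).
SCAM_EML = b"""\
From: Visa Olympic Promotions <promotions@visa-olympics.example>
Reply-To: claims.coordinator@example.net
To: winner@example.org
Subject: London 2012 Olympics Winning Notification
Content-Type: text/plain; charset="utf-8"

Congratulations! Your email address won in the Visa London 2012 draw.
To claim your prize, contact our coordinator Mr. Smith at
olympic.claims2012@example.net with your full name, home address,
marital status and occupation.
"""

LEGIT_EML = b"""\
From: IT Helpdesk <helpdesk@example.com>
To: staff@example.com
Subject: Scheduled maintenance on Saturday
Content-Type: text/plain; charset="utf-8"

The file server will be offline from 08:00 to 10:00 on Saturday.
Questions: reply to this message or call the helpdesk.
"""

ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# Assumed indicator terms: prize lures and requests for personal/banking data.
LURE_TERMS = ("prize", "won", "winning notification", "claim")
DATA_TERMS = ("occupation", "marital status", "home address", "bank account", "deposit")


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def has_term(text: str, term: str) -> bool:
    return re.search(r"\b" + re.escape(term) + r"\b", text) is not None


def assess(raw: bytes) -> dict:
    """Score one raw RFC 5322 message for the coordinator-scam pattern."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_hdr = msg["From"]
    from_domain = domain_of(from_hdr.addresses[0].addr_spec) if from_hdr and from_hdr.addresses else ""
    reply_hdr = msg["Reply-To"]
    reply_addrs = {a.addr_spec for a in reply_hdr.addresses} if reply_hdr else set()
    body_part = msg.get_body(preferencelist=("plain",))
    text = body_part.get_content() if body_part else ""
    # Every address a victim is invited to reply to: Reply-To plus any address
    # written into the body as the "coordinator".
    contact_domains = {domain_of(a) for a in reply_addrs | set(ADDR_RE.findall(text))}
    foreign = sorted(d for d in contact_domains if d and d != from_domain)
    haystack = f"{msg['Subject'] or ''}\n{text}".lower()
    lure = any(has_term(haystack, t) for t in LURE_TERMS)
    asks_data = any(has_term(haystack, t) for t in DATA_TERMS)
    # Assumed weights: replies routed off the claimed sender's domain count double.
    score = 2 * bool(foreign) + int(lure) + int(asks_data)
    return {
        "from_domain": from_domain,
        "foreign_contact_domains": foreign,
        "lure": lure,
        "asks_personal_data": asks_data,
        "score": score,
        "verdict": "suspicious" if score >= 3 else "ok",
    }


if __name__ == "__main__":
    for name, raw in (("scam", SCAM_EML), ("legit", LEGIT_EML)):
        print(name, assess(raw))
```

The domain comparison is deliberately strict: a genuine promotion run by a brand replies from that brand's domain or a domain it controls, so any reply path landing on an unrelated or free-mail domain is what deserves a second look. Keyword matching alone would be easy to evade, which is why the reply-path mismatch carries most of the weight.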

Why This Spam Persists

These types of scams are nothing new. Previous incarnations include spam claiming to be associated with the Beijing 2008 Olympics and the Torino Winter Games. So why is this still a threat to users? Because cybercriminals are still making money from it. Senior Threat Researcher Robert McArdle believes that “…attackers are still using these because these scams are still giving them successful margins. Social engineering has worked for years and there are little signs of that changing.” As long as users keep falling for this trap, scammers will keep creating new spam runs around events like the London Olympics to make a quick buck.

Trend Micro protects users from this threat via the Smart Protection Network™, specifically its web reputation service, which blocks these messages from ever reaching users’ inboxes. Its file reputation service detects and deletes the related malware.

Users can also protect themselves by performing some simple checks on the emails they receive. They should be wary of these tell-tale signs:
